license_finder 6.8.2 → 6.12.0

data/lib/license_finder/cli/main.rb

@@ -19,7 +19,8 @@ module LicenseFinder
         'markdown' => MarkdownReport,
         'csv' => CsvReport,
         'xml' => XmlReport,
-        'json' => JsonReport
+        'json' => JsonReport,
+        'junit' => JunitReport
       }.freeze
 
       class_option :go_full_version, desc: 'Whether dependency version should include full version. Only meaningful if used with a Go project. Defaults to false.'
@@ -37,6 +38,9 @@ module LicenseFinder
       class_option :mix_command, desc: "Command to use when fetching packages through Mix. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'mix'."
       class_option :mix_deps_dir, desc: "Path to Mix dependencies directory. Only meaningful if used with a Mix project (i.e., Elixir or Erlang). Defaults to 'deps'."
       class_option :sbt_include_groups, desc: 'Whether dependency name should include group id. Only meaningful if used with a Scala/sbt project. Defaults to false.'
+      class_option :conda_bash_setup_script, desc: "Path to conda.sh script. Only meaningful if used with a Conda project. Defaults to '~/miniconda3/etc/profile.d/conda.sh'."
+      class_option :composer_check_require_only,
+                   desc: "Whether to only check for licenses from dependencies on the 'require' section. Only meaningful if used with a Composer project. Defaults to false."
 
       # Method options which are shared between report and action_item
       def self.format_option

data/lib/license_finder/configuration.rb

@@ -65,6 +65,10 @@ module LicenseFinder
       Pathname(path_prefix).expand_path
     end
 
+    def enabled_package_manager_ids
+      get(:enabled_package_managers)
+    end
+
     def logger_mode
       get(:logger)
     end
@@ -93,6 +97,10 @@ module LicenseFinder
       get(:pip_requirements_path)
     end
 
+    def conda_bash_setup_script
+      get(:conda_bash_setup_script)
+    end
+
     def python_version
       get(:python_version)
     end
@@ -137,6 +145,10 @@ module LicenseFinder
       get(:sbt_include_groups)
     end
 
+    def composer_check_require_only
+      get(:composer_check_require_only)
+    end
+
     attr_writer :strict_matching
 
     attr_reader :strict_matching

data/lib/license_finder/core.rb

@@ -24,7 +24,7 @@ module LicenseFinder
     # Default +options+:
     # {
     #   project_path: Pathname.pwd
-    #   logger: {},   # can include quiet: true or debug: true
+    #   logger: nil,   # can be :quiet or :debug
     #   decisions_file: "doc/dependency_decisions.yml",
     #   gradle_command: "gradle",
     #   rebar_command: "rebar",
@@ -93,6 +93,7 @@ module LicenseFinder
         project_path: config.project_path,
         log_directory: File.join(config.log_directory, project_name),
         ignored_groups: decisions.ignored_groups,
+        enabled_package_manager_ids: config.enabled_package_manager_ids,
         go_full_version: config.go_full_version,
         gradle_command: config.gradle_command,
         gradle_include_groups: config.gradle_include_groups,
@@ -107,7 +108,9 @@ module LicenseFinder
         mix_deps_dir: config.mix_deps_dir,
         prepare: config.prepare,
         prepare_no_fail: config.prepare_no_fail,
-        sbt_include_groups: config.sbt_include_groups
+        sbt_include_groups: config.sbt_include_groups,
+        conda_bash_setup_script: config.conda_bash_setup_script,
+        composer_check_require_only: config.composer_check_require_only
       }
     end
   end

data/lib/license_finder/decisions.rb

@@ -40,10 +40,15 @@ module LicenseFinder
     end
 
     def permitted?(lic)
-      return lic.sub_licenses.any? { |sub_lic| @permitted.include?(sub_lic) } if lic.is_a?(OrLicense)
-      return lic.sub_licenses.all? { |sub_lic| @permitted.include?(sub_lic) } if lic.is_a?(AndLicense)
-
-      @permitted.include?(lic)
+      if @permitted.include?(lic)
+        true
+      elsif lic.is_a?(OrLicense)
+        lic.sub_licenses.any? { |sub_lic| @permitted.include?(sub_lic) }
+      elsif lic.is_a?(AndLicense)
+        lic.sub_licenses.all? { |sub_lic| @permitted.include?(sub_lic) }
+      else
+        false
+      end
     end
 
     def restricted?(lic)
@@ -276,6 +281,13 @@ module LicenseFinder
       return result unless persisted
 
       actions = YAML.load(persisted)
+
+      list_of_actions = (actions || []).map(&:first)
+
+      if (list_of_actions & %i[whitelist blacklist]).any?
+        raise 'The decisions file seems to have whitelist/blacklist keys which are deprecated. Please replace them with permit/restrict respectively and try again! More info - https://github.com/pivotal/LicenseFinder/commit/a40b22fda11b3a0efbb3c0a021381534bc998dd9'
+      end
+
       (actions || []).each do |action, *args|
         result.send(action, *args)
       end

data/lib/license_finder/license.rb

@@ -19,10 +19,17 @@ module LicenseFinder
 
       def find_by_name(name)
         name ||= 'unknown'
-        return OrLicense.new(name) if name.include?(OrLicense.operator)
-        return AndLicense.new(name) if name.include?(AndLicense.operator)
-
-        all.detect { |l| l.matches_name? l.stripped_name(name) } || Definitions.build_unrecognized(name)
+        license = all.detect { |l| l.matches_name? l.stripped_name(name) }
+
+        if license
+          license
+        elsif name.include?(OrLicense.operator)
+          OrLicense.new(name)
+        elsif name.include?(AndLicense.operator)
+          AndLicense.new(name)
+        else
+          Definitions.build_unrecognized(name)
+        end
       end
 
       def find_by_text(text)

data/lib/license_finder/package.rb

@@ -198,3 +198,4 @@ require 'license_finder/packages/yarn_package'
 require 'license_finder/packages/sbt_package'
 require 'license_finder/packages/cargo_package'
 require 'license_finder/packages/composer_package'
+require 'license_finder/packages/conda_package'

data/lib/license_finder/package_manager.rb

@@ -22,6 +22,10 @@ module LicenseFinder
       def takes_priority_over
         nil
       end
+
+      def id
+        name.split('::').last.downcase
+      end
     end
 
     def installed?(logger = Core.default_logger)
@@ -123,12 +127,12 @@ module LicenseFinder
     end
 
     def log_errors_with_cmd(prep_cmd, stderr)
-      logger.info prep_cmd, 'did not succeed.', color: :red
-      logger.info prep_cmd, stderr, color: :red
-      log_to_file stderr
+      logger.info(prep_cmd, 'did not succeed.', color: :red)
+      logger.info(prep_cmd, stderr, color: :red)
+      log_to_file(prep_cmd, stderr)
     end
 
-    def log_to_file(contents)
+    def log_to_file(prep_cmd, contents)
       FileUtils.mkdir_p @log_directory
 
       # replace whitespace with underscores and remove slashes
@@ -136,7 +140,7 @@ module LicenseFinder
       log_file = File.join(@log_directory, "prepare_#{log_file_name || 'errors'}.log")
 
       File.open(log_file, 'w') do |f|
-        f.write("Prepare command \"#{prepare_command}\" failed with:\n")
+        f.write("Prepare command \"#{prep_cmd}\" failed with:\n")
         f.write("#{contents}\n\n")
       end
     end
@@ -171,5 +175,6 @@ require 'license_finder/package_managers/conan'
 require 'license_finder/package_managers/sbt'
 require 'license_finder/package_managers/cargo'
 require 'license_finder/package_managers/composer'
+require 'license_finder/package_managers/conda'
 
 require 'license_finder/package'

data/lib/license_finder/package_managers/composer.rb

@@ -4,7 +4,10 @@ require 'json'
 
 module LicenseFinder
   class Composer < PackageManager
-    SHELL_COMMAND = 'composer licenses --format=json'
+    def initialize(options = {})
+      super
+      @check_require_only = !!options[:composer_check_require_only]
+    end
 
     def possible_package_paths
       [project_path.join('composer.lock'), project_path.join('composer.json')]
@@ -33,7 +36,7 @@ module LicenseFinder
     end
 
     def prepare_command
-      'composer install --no-plugins --ignore-platform-reqs --no-interaction'
+      'composer install --no-plugins --no-scripts --ignore-platform-reqs --no-interaction'
     end
 
     def package_path
@@ -50,8 +53,9 @@ module LicenseFinder
     end
 
     def composer_json
-      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(Composer::SHELL_COMMAND) }
-      raise "Command '#{Composer::SHELL_COMMAND}' failed to execute: #{stderr}" unless status.success?
+      command = "composer licenses --format=json#{@check_require_only ? ' --no-dev' : ''}"
+      stdout, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
+      raise "Command '#{command}' failed to execute: #{stderr}" unless status.success?
 
       JSON(stdout)
     end

data/lib/license_finder/package_managers/conda.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module LicenseFinder
+  class Conda < PackageManager
+    attr_reader :conda_bash_setup_script
+
+    def initialize(options = {})
+      @conda_bash_setup_script = options[:conda_bash_setup_script] || Pathname("#{ENV['HOME']}/miniconda3/etc/profile.d/conda.sh")
+      super
+    end
+
+    # This command is *not* directly executable. See .conda() below.
+    def prepare_command
+      "conda env create -f #{detected_package_path}"
+    end
+
+    def prepare
+      return if environment_exists?
+
+      prep_cmd = prepare_command
+      _stdout, stderr, status = Dir.chdir(project_path) { conda(prep_cmd) }
+      return if status.success?
+
+      log_errors stderr
+      raise "Prepare command '#{prep_cmd}' failed" unless @prepare_no_fail
+    end
+
+    def current_packages
+      conda_list.map do |entry|
+        case entry['channel']
+        when 'pypi'
+          # PyPI is much faster than `conda search`, use it when we can.
+          PipPackage.new(entry['name'], entry['version'], PyPI.definition(entry['name'], entry['version']))
+        else
+          CondaPackage.new(conda_search_info(entry))
+        end
+      end.compact
+    end
+
+    def possible_package_paths
+      [project_path.join('environment.yaml'), project_path.join('environment.yml')]
+    end
+
+    private
+
+    def environment_exists?
+      environments.grep(environment_name).any?
+    end
+
+    def environments
+      command = 'conda env list'
+      stdout, stderr, status = conda command
+
+      environments = []
+      if status.success?
+        environments = stdout.split("\n").grep_v(/^#/).map { |line| line.split.first }
+      else
+        log_errors_with_cmd command, stderr
+      end
+      environments
+    end
+
+    def environment_file
+      detected_package_path
+    end
+
+    def environment_name
+      @environment_name ||= YAML.load_file(environment_file).fetch('name')
+    end
+
+    def conda(command)
+      Open3.capture3('bash', '-c', "source #{conda_bash_setup_script} && #{command}")
+    end
+
+    def activated_conda(command)
+      Open3.capture3('bash', '-c', "source #{conda_bash_setup_script} && conda activate #{environment_name} && #{command}")
+    end
+
+    # Algorithm is based on
+    # https://bioinformatics.stackexchange.com/a/11226
+    # but completely recoded in Ruby. Like the poster, if the package is
+    # actually managed by conda, we assume that all the potential infos (for
+    # various architectures, versions of python, etc) have the same license.
+    def conda_list
+      command = 'conda list'
+      stdout, stderr, status = activated_conda(command)
+
+      if status.success?
+        conda_list = []
+        stdout.each_line do |line|
+          next if line =~ /^\s*#/
+
+          name, version, build, channel = line.split
+          conda_list << {
+            'name' => name,
+            'version' => version,
+            'build' => build,
+            'channel' => channel
+          }
+        end
+        conda_list
+      else
+        log_errors_with_cmd command, stderr
+        []
+      end
+    end
+
+    def conda_search_info(list_entry)
+      command = 'conda search --info --json '
+      command += "--channel #{list_entry['channel']} " if list_entry['channel'] && !list_entry['channel'].empty?
+      command += "'#{list_entry['name']} #{list_entry['version']}'"
+
+      # Errors from conda (in --json mode, at least) show up in stdout, not stderr
+      stdout, _stderr, status = activated_conda(command)
+
+      name = list_entry['name']
+
+      if status.success?
+        JSON(stdout).fetch(name).first
+      else
+        log_errors_with_cmd command, stdout
+        list_entry
+      end
+    rescue KeyError
+      logger.info('Conda', "Key error trying to find #{name} in\n#{JSON(stdout)}")
+      list_entry
+    end
+  end
+end

data/lib/license_finder/package_managers/dep.rb

@@ -18,11 +18,16 @@ module LicenseFinder
         GoPackage.from_dependency({
                                     'ImportPath' => project['name'],
                                     'InstallPath' => project_path.join('vendor', project['name']),
-                                    'Rev' => project['revision']
+                                    'Rev' => project['revision'],
+                                    'Homepage' => repo_name(project['name'])
                                   }, nil, true)
       end
     end
 
+    def repo_name(name)
+      name.split('/')[0..2].join('/')
+    end
+
     def self.takes_priority_over
       Go15VendorExperiment
     end

data/lib/license_finder/package_managers/go_15vendorexperiment.rb

@@ -37,11 +37,16 @@ module LicenseFinder
         GoPackage.from_dependency({
                                     'ImportPath' => dep,
                                     'InstallPath' => detected_package_path.join(dep),
-                                    'Rev' => 'vendored-' + project_sha(detected_package_path.join(dep))
+                                    'Rev' => 'vendored-' + project_sha(detected_package_path.join(dep)),
+                                    'Homepage' => repo_name(dep)
                                   }, nil, true)
       end
     end
 
+    def repo_name(name)
+      name.split('/')[0..2].join('/')
+    end
+
     def package_management_command
       'go'
     end

data/lib/license_finder/package_managers/go_dep.rb

@@ -4,6 +4,9 @@ require 'json'
 
 module LicenseFinder
   class GoDep < PackageManager
+    OLD_GODEP_VENDOR_PATH = 'Godeps/_workspace/src'
+    GODEP_VENDOR_PATH = 'vendor'
+
     def initialize(options = {})
       super
       @full_version = options[:go_full_version]
@@ -29,16 +32,20 @@ module LicenseFinder
     private
 
     def install_prefix
-      go_path = if workspace_dir.directory?
-                  workspace_dir
-                else
-                  Pathname(ENV['GOPATH'] || ENV['HOME'] + '/go')
-                end
-      go_path.join('src')
+      @install_prefix ||= if project_path.join(OLD_GODEP_VENDOR_PATH).directory?
+                            project_path.join(OLD_GODEP_VENDOR_PATH)
+                          elsif project_path.join(GODEP_VENDOR_PATH).directory?
+                            project_path.join(GODEP_VENDOR_PATH)
+                          else
+                            download_dependencies
+                            Pathname(ENV['GOPATH'] ? ENV['GOPATH'] + '/src' : ENV['HOME'] + '/go/src')
+                          end
     end
 
-    def workspace_dir
-      project_path.join('Godeps/_workspace')
+    def download_dependencies
+      command = "#{package_management_command} restore"
+      _, stderr, status = Dir.chdir(project_path) { Cmd.run(command) }
+      raise "Command '#{command}' failed to execute: #{stderr}" if !status.success? && status.exitstatus != 1
     end
 
     def packages_from_json(json_string)

data/lib/license_finder/package_managers/go_modules.rb

@@ -55,7 +55,9 @@ module LicenseFinder
         # TODO: Figure out a way to make the vendor directory work (i.e. remove the
         # -mod=readonly flag). Each of the imported packages gets listed separatly,
         # confusing the issue as to which package is the root of the module.
-        info_output, _stderr, _status = Cmd.run("GO111MODULE=on go list -mod=readonly -deps -f '#{format_str}' ./...")
+        go_list_cmd = "GO111MODULE=on go list -mod=readonly -deps -f '#{format_str}' ./..."
+        info_output, stderr, status = Cmd.run(go_list_cmd)
+        log_errors_with_cmd(go_list_cmd, "Getting the dependencies from go list failed \n\t#{stderr}") unless status.success?
 
         # Since many packages may belong to a single module, #uniq is used to deduplicate
         info_output.split("\n").uniq
@@ -74,10 +76,15 @@ module LicenseFinder
       info = {
         'ImportPath' => name,
         'InstallPath' => install_path,
-        'Rev' => version
+        'Rev' => version,
+        'Homepage' => repo_name(name)
       }
 
       GoPackage.from_dependency(info, nil, true)
     end
+
+    def repo_name(name)
+      name.split('/')[0..2].join('/')
+    end
   end
 end